Prevention through Design: 6 Gaps That Keep Risk Built In
A diagnostic guide for EHS managers who need Prevention through Design to influence procurement, engineering, MOC and critical-control decisions before exposure reaches the field.

Key takeaways
- Prevention through Design fails when EHS reviews the project after procurement, engineering and layout decisions have already locked in exposure.
- A strong PtD gate records the hazard, safer alternatives, hierarchy-of-controls level, rejected options and residual-risk owner before approval.
- Risk registers should preserve design decisions, not only ratings, because future leaders need to know why a safer option was rejected.
- MOC should test accumulated exposure, since several minor changes can push work down the hierarchy of controls without one obvious trigger.
- Residual risk acceptance needs a rejected-controls record, especially when SIF exposure remains after elimination, substitution or engineering options were declined.
NIOSH has promoted Prevention through Design since 2007, yet many organizations still invite EHS after the machine is bought, the layout is approved, and the exposure is already expensive to remove. This article shows 6 gaps that keep risk built into work, and gives EHS managers a sharper way to challenge design decisions before they become permanent hazards.
Why Prevention through Design is a risk-management issue
Prevention through Design means identifying and reducing occupational hazards during the design or redesign of premises, tools, equipment, substances, work processes and facilities. ANSI/ASSP Z590.3-2021 treats PtD as a way to address hazards and risks during design and redesign, while NIOSH connects it directly with the upper levels of the hierarchy of controls.
The thesis of this article is simple: PtD fails when it becomes a safety review at the end of an engineering project. By then, elimination and substitution have already been priced out, engineering controls have become retrofits, and the site is left defending the design with procedures, training and PPE.
Across 25+ years leading EHS in multinational operations, Andreza Araujo has seen that strong safety culture depends on early decisions, not heroic compensation at the work front. As she argues in A Ilusão da Conformidade, glossed in English as The Illusion of Compliance, formal approval can hide weak control logic when leaders confuse a signed review with a safer system.
1. The safety review starts after procurement has chosen the option
The first gap appears when procurement evaluates price, delivery time and technical performance before safety has defined what the design must prevent. OSHA's hazard prevention guidance says employers should identify control options and select controls through the hierarchy, which means the control conversation belongs before purchase approval, not after installation.
What most PtD summaries understate is the commercial lock-in. Once a supplier is selected, the organization has already created sunk cost, delivery pressure and political ownership. EHS can still ask for guards, interlocks, access platforms or ventilation, but those requests now look like delays rather than design criteria.
For an EHS manager, the practical fix is a procurement gate. Any equipment, chemical, layout, tool, contractor method or software that can affect serious exposure should require a short PtD note before purchase order release. That note should name the hazard, the intended level in the hierarchy of controls, the rejected safer alternatives and the person who accepted the residual risk.
2. The design team treats EHS as a reviewer, not a design constraint
The second gap is structural. Engineering, operations, maintenance and procurement often see EHS as the group that comments on the nearly finished plan. PtD requires the opposite. Safety must become a design constraint alongside throughput, quality, maintainability, energy, hygiene and cost.
In Safety Culture: From Theory to Practice, Andreza Araujo argues that culture becomes visible in repeated decisions. The repeated decision in weak PtD is the belief that safety can be added later. That belief pushes the organization down the hierarchy, away from elimination and substitution, toward administrative controls that depend on perfect human behavior.
Give EHS a formal design seat with decision rights. In a capital project, the EHS representative should be able to block approval until the team has tested access, isolation, ergonomics, emergency response, maintainability, contractor exposure and foreseeable misuse. A reviewer comments on documents. A design constraint changes the design while change is still cheap.
3. The risk register records the hazard but not the design decision
The third gap is a traceability failure. A risk register may say that a hazard exists, but it rarely shows which design options were considered before the organization accepted the exposure. ISO 31000:2018 supports risk-management principles and guidelines, yet the practical value is lost when the register stores ratings without the story behind the control choice.
Across more than 250 cultural-transformation projects supported by Andreza Araujo's team, one recurring weakness is that companies document the existence of risk more carefully than the decision that created or reduced it. That is why a risk register can look mature while the field still works around poor access, awkward lifting points, blind traffic corners or isolation points placed in dangerous positions.
The register should include a design-decision field for high-risk items. Link the hazard to the procurement record, MOC package, drawing revision, rejected option and verification evidence. If the register was recently rebuilt, use the same discipline described in risk register cleanup so design assumptions do not disappear after commissioning.
4. MOC checks change, but misses accumulated exposure
The fourth gap happens inside Management of Change. A single change may look minor: a new valve position, a temporary access route, a revised cleaning method, a different pallet height, a new chemical concentration or a faster cycle time. The exposure appears when several minor changes combine into a work system nobody originally designed.
James Reason's Swiss Cheese Model is useful here because it shows how latent conditions can align over time. Andreza Araujo's work adds the culture test: if the organization normalizes every small exception, the final design is not the one approved in the drawing. It is the one created by tolerated drift.
PtD should therefore be built into MOC as an accumulated-exposure question. Ask whether the change pushes the task lower in the hierarchy of controls, increases reliance on administrative controls, removes physical separation, worsens ergonomics, weakens emergency access or changes who can verify the critical control. A simple What-If Analysis field review can expose this before the altered work becomes routine.
5. The team counts engineering controls without testing independence
The fifth gap is overconfidence in the word engineering. A guard, interlock, ventilation system, alarm or barrier may sound strong, but its value depends on independence, availability, maintainability, bypass potential and failure response. Engineering controls are not automatically reliable because they are physical.
ANSI/ASSP Z590.3-2021 and the NIOSH PtD initiative both point safety professionals toward design-stage prevention, but neither intention protects the worker if the selected control is easy to defeat, hard to inspect or dependent on a hidden maintenance routine. The design question is not whether a control exists. It is whether the control still protects people when production is late, parts are scarce and supervisors are under pressure.
For high-severity risk, treat PtD controls like critical controls. Define the performance standard, inspection frequency, owner, proof of availability and escalation rule when the control is impaired. Where major hazards are involved, compare the selected design with LOPA protection layers so a claimed safeguard is not counted twice or accepted without independence.
6. Residual risk is accepted without a rejected-controls record
The sixth gap appears when the organization accepts residual risk without documenting which stronger controls were rejected. HSE's ALARP guidance asks duty holders to reduce risk as low as reasonably practicable, which requires a real comparison between the risk and the sacrifice needed to reduce it further. Without rejected-controls evidence, ALARP can become a sentence that protects the budget.
During her tenure at PepsiCo South America, where the accident ratio fell 50% in six months, Andreza Araujo learned that leaders change results when they make control choices visible. PtD needs the same visibility. If elimination, substitution or safer layout was rejected, the reason should be written, owned and reviewed by someone with enough authority to accept the consequence.
Use a rejected-controls record for any PtD decision that leaves SIF exposure in the system. It should list the option, estimated risk reduction, reason for rejection, decision owner, review date and compensating controls. The record should connect with ALARP decisions, because residual risk is not mature governance unless the stronger options were seriously tested first.
Prevention through Design compared with late-stage safety review
The difference between PtD and late review is not terminology. It is the moment when safety has authority to change the system.
| Decision point | Late-stage safety review | Prevention through Design |
|---|---|---|
| Procurement | Checks hazards after vendor selection | Defines safety criteria before purchase approval |
| Engineering | Adds controls to an approved layout | Designs out exposure while layout is still flexible |
| Risk register | Records rating and owner | Records design assumptions, rejected controls and verification evidence |
| MOC | Reviews the isolated change | Tests accumulated exposure and hierarchy movement |
| Residual risk | Accepts what remains after cost pressure | Requires a visible rejected-controls record before acceptance |
This comparison gives leaders a practical audit question: when did safety still have power to change the design? If the answer is "after approval", the organization is not practicing PtD. It is managing the consequences of decisions already made.
Conclusion: design is where safety becomes cheap or expensive
Prevention through Design is not a decorative standard reference. It is a management discipline that decides whether risk is removed early or defended later with behavior, supervision and paperwork.
For organizations that want PtD to become real safety culture, Andreza Araujo's books, ACS Global Ventures diagnostics and Safety School programs connect design decisions, safety leadership, risk perception and critical-control verification. Start with the next purchase or redesign, because that is where safety is still about coming home rather than explaining why exposure was built in.
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)